
Received December 22, 2019, accepted January 12, 2020, date of publication February 12, 2020, date of current version February 24, 2020.

Digital Object Identifier 10.1109/ACCESS.2020.2973605

Classifying Proprietary Firmware on a Solid State Drive Using Idle State Current Draw Measurements

T. OWENS WALKER, III¹, (Senior Member, IEEE), JUSTIN A. BLANCO¹, (Senior Member, IEEE), RYAN RAKVIC¹, ANN VANLEER¹, DANE BROWN², JAMES SHEY¹, GREGORY L. SINSLEY¹, HAU T. NGO¹, AND ROBERT W. IVES¹, (Senior Member, IEEE)

¹Electrical and Computer Engineering Department, United States Naval Academy, Annapolis, MD 21402-5025, USA
²Cyber Science Department, United States Naval Academy, Annapolis, MD 21402-5025, USA

Corresponding author: T. Owens Walker, III ([email protected])

ABSTRACT Solid state drives (SSDs) are coming under increased scrutiny as their popularity continues to grow. SSDs differ from their hard disk drive predecessors because they include an onboard layer of firmware to perform required maintenance tasks related to data location mapping, write performance, and drive lifetime management. This firmware layer is transparent to the user and can be difficult to characterize despite its clear potential to impact drive behavior. Flaws and vulnerabilities in this firmware layer have become increasingly common. In this work, we propose and analyze a technique to classify different versions of proprietary firmware on an SSD through the use of current draw measurements. We demonstrate that major groupings of firmware can be classified using current draw measurements not only from explicitly active drive states such as read and write but also from the low power idle state. We achieve pairwise classification rates near 100% between firmware examples in these different major groupings. Coupling these results with firmware release information, we are able to infer major updates in the firmware timeline for the SSD we examined. We also develop an anomaly detector and achieve detection rates of 100% for samples that reside outside of the reference grouping.

INDEX TERMS Solid state drive, SSD, current draw, power consumption, firmware, security.

The associate editor coordinating the review of this manuscript and approving it for publication was Leandros Maglaras.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/

VOLUME 8, 2020 31869

T. O. Walker et al.: Classifying Proprietary Firmware on a SSD Using Idle State Current Draw Measurements

I. INTRODUCTION

Flaws and vulnerabilities continue to plague the growing solid state drive (SSD) market. In 2009, Intel halted shipments on its X25M and X-18M SSDs due to the presence of a bug that corrupted user data [1] and researchers warned of vulnerabilities present in manufacturer supply chains [2]. In 2013, KingFast inadvertently shipped a counterfeit SSD with fake NAND memory to a reviewer [3]. More recently in 2019, researchers found flaws in Crucial and Samsung SSDs that allow the encryption to be bypassed [4] and Intel was forced to release a patch to correct a privilege escalation vulnerability in some of its enterprise SSDs [5].

While bugs, vulnerabilities, and malware are nothing new in the cyber security field, they can be difficult to detect when they reside in the firmware of a commercial SSD. Users have little visibility on the functionality of this proprietary firmware that is needed to map logical memory to physical flash memory and limit physical wear on the transistors. To expose these hidden vulnerabilities, our group has recently demonstrated the use of current draw measurements to provide insight into this functionality [6]–[9]. In the security context of malware detection, forensic analysis, and consumer protection, Shey et al. [6] developed an automatic classifier capable of identifying the clearing of physical data locations while Brown et al. [7] have proposed the use of these measurements to detect firmware modification in open-source SSDs. It has also been shown that current draw measurements can be used to infer the resident file system type [8] as well as the presence of read and write operations [9].

Leveraging this prior work on side-channel current draw analysis, the primary contributions of this article are as follows:

1) Demonstrates a technique for classifying firmware revisions in a family of proprietary firmware versions on a commercial solid state drive using non-intrusive current draw measurements.
2) Demonstrates the use of this classification technique coupled with firmware release information to infer major firmware revisions in the examined firmware timeline.
3) Demonstrates that classification can be accomplished using current draw measurements not only from explicitly active drive states (i.e., read and write) but also from the low power idle state.
4) Develops an anomaly detector designed to identify firmware versions that differ from a reference firmware or firmware grouping.

To our knowledge, this is the first examination of side channel leakage for a family of proprietary firmware versions using power-related metrics and the first work to perform classification based solely on idle state current draw measurements. In practical application, the techniques provided here would allow a researcher or security analyst to infer whether or not the firmware installed on the SSD was a member of the reference firmware grouping without the need to reverse engineer it.

This article is organized as follows. Related work is discussed in Section II while Section III details the relevant firmware versions and identifies the four observed modes of operation for the firmware. The experimental setup is described in Section IV and the accompanying analysis is presented in Section V. Section VI presents the results and the article finishes with conclusions and future work in Section VII.

II. RELATED WORK

As their popularity grows, the security of SSDs has come under increased scrutiny by researchers in the past several years. In this section, we review the relevant existing literature. We begin with a brief discussion of other firmware-focused security research being conducted on SSDs and then provide a discussion of power-related side channel analysis both as it relates to computer systems and processors in general as well as SSDs specifically.

Like their hard disk drive predecessors [10], the firmware on SSDs is vulnerable to compromise regardless of whether it is open- or closed-source. Representative of the former, Bogaard and Bruijn demonstrated the feasibility of inserting a functioning backdoor into open-source SSD firmware [11] but recognized that this would be significantly more difficult on proprietary firmware where access was restricted by the manufacturer. This latter challenge has recently been overcome by Meijer and Gastel who demonstrated the ability to compromise proprietary, closed-source firmware on both Crucial and Samsung SSDs using techniques that included physical access and code injection [4]. In other related work, the firmware of SSDs has also been modified to detect and recover from ransomware attacks [12]. Our work builds on these vulnerability studies by proposing and analyzing a technique to assist investigators in distinguishing between different versions of firmware that may be resident on a commercial SSD. This would be particularly useful in scenarios in which the resident firmware is not known or the SSD is suspected to have been tampered with.

Power-related measurements including current draw and associated side-channel attacks have been used extensively in the context of both security and performance. Of note, power analysis has been used to characterize as well as disassemble processor instructions [13], [14], detect malware on programmable logic controllers [15], and classify attacks on a Raspberry Pi [16]. It has also been used as part of larger side-channel analysis-based toolboxes such as SASEBO [17] and RamDPA [18]. In direct application to SSDs, current draw measurements have been used to characterize write performance on the Intel X25M and the Samsung MXP SSD families [19].

The work presented here follows a recent string of advancements in the use of current draw to infer SSD operations and characterize SSD parameters. Current draw measurements have been used to infer TRIM operations [6] as well as read and write operations [9]. They have also been used to characterize the file system in use on the SSD [20] and the encryption algorithm present [21]. Most recently, current draw measurements have been proposed to detect modifications of firmware on an open-source SSD [7]. While this work evolved from these earlier findings, it is the first to demonstrate the ability to characterize SSDs using the low power idle state and it is the first to classify a family of proprietary, closed-source firmware versions on a commercial, off-the-shelf SSD.

This article builds upon a set of initial findings presented in [22]. This earlier work demonstrated the ability to distinguish between two firmware versions using read and write operations on files of different sizes. In the current work, we have demonstrated the ability to classify firmware versions using the idle state only and have extended the analysis to the family of firmware versions available for the SSD under examination. This has led to important insights, particularly in terms of recognizing major updates within this examined firmware family. We also assess the potential effectiveness of an anomaly detector based on this technique.

III. FIRMWARE SPECIFICATIONS AND OPERATING MODES

The Crucial m4 SSD, released in 2011, was selected for this work because a substantial number of firmware release versions are publicly available for it and the associated firmware upgrade utility provides the ability to both upgrade and downgrade the firmware. (Specifications for the Crucial

TABLE 2. Host computer specifications and configuration.